
Re: CSP, Fetch, and frame-ancestors

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 4 Jun 2014 09:55:00 +0200
Message-ID: <CADnb78hoKN6St_uC8x6s1_RJ-4-6vB17SN37b3PH5Pw19b1_yA@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Brad Hill <hillbrad@gmail.com>, WebAppSec WG <public-webappsec@w3.org>

On Wed, Jun 4, 2014 at 9:42 AM, Mike West <mkwst@google.com> wrote:
> Well, there's already a lot of magic hidden away in
> http://fetch.spec.whatwg.org/#concept-http-network-or-cache-fetch. All of
> the TLS-handshake, for instance. I don't know what level you'd like Fetch to
> dive down to.

I'm assuming that is defined by the TLS/HTTP specifications. Roughly
what Fetch is doing is defining the missing parts between APIs and
getting a resource out of a URL.


> Frame ancestors seems like something we could reasonably include in Fetch
> (perhaps by pointing to a new hook in CSP, and passing in the request and
> response). I'm not really sure where to stop, however. At some point we
> reach the transport layer, which doesn't seem like what Fetch should be
> concerned with. I guess there's a stopping point somewhere between those
> two.

I don't see how it's lower than Fetch by the way. You need to process
all headers before you know if you're going to follow a redirect. So
it seems like you would know this around step 10 of
http://fetch.spec.whatwg.org/#concept-fetch

I was just thinking that since you need to know something about the
element and its ancestors, a hook in HTML might be more appropriate.


-- 
http://annevankesteren.nl/
Received on Wednesday, 4 June 2014 07:55:28 UTC
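The check the thread is placing between Fetch and HTML, written out as an added example (not code from the original message, nor from the Fetch or CSP specifications): a simplified `frame-ancestors` evaluator that needs exactly the two inputs Anne points at, the response's CSP header (available once all headers are processed) and the origins of the embedding element's ancestor browsing contexts. Source-expression matching is reduced to `'none'`, `'self'`, `*`, scheme-source and host-source with an optional leading wildcard; ports, paths and comma-joined multiple policies are left out. Those reductions, the function names and the sample origins are assumptions made for illustration.

```javascript
// Added example: simplified CSP frame-ancestors evaluation.
// Not spec text; assumptions: one policy per header, no ports/paths in sources.

// Return the frame-ancestors source list, or null when the directive is absent.
function parseFrameAncestors(cspHeader) {
  for (const directive of cspHeader.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === "frame-ancestors") {
      return tokens.slice(1);
    }
  }
  return null;
}

// Does one source expression match one ancestor origin?
function sourceMatches(source, ancestorOrigin, responseOrigin) {
  const lower = source.toLowerCase();
  const anc = new URL(ancestorOrigin);
  const resp = new URL(responseOrigin);

  if (lower === "'none'") return false;
  if (lower === "'self'") return anc.origin === resp.origin;
  if (lower === "*") return /^https?:$/.test(anc.protocol); // simplification
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return anc.protocol === lower; // scheme-source

  // host-source: [scheme://][*.]host
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;

  if (scheme) {
    if (scheme.toLowerCase() + ":" !== anc.protocol) return false;
  } else if (anc.protocol !== resp.protocol &&
             !(resp.protocol === "http:" && anc.protocol === "https:")) {
    return false; // scheme-less source inherits the protected resource's scheme
  }

  const h = host.toLowerCase();
  return wildcard ? anc.hostname.endsWith("." + h) : anc.hostname === h;
}

// Blocked unless every ancestor origin matches at least one source.
// With no ancestors (top-level navigation) the directive does not apply.
function frameAncestorsAllows(cspHeader, responseOrigin, ancestorOrigins) {
  const sources = parseFrameAncestors(cspHeader);
  if (sources === null) return true; // no directive, no CSP restriction
  return ancestorOrigins.every(anc =>
    sources.some(src => sourceMatches(src, anc, responseOrigin)));
}

// Constructed sample: a response embedded by a partner widget inside the app itself.
const samplePolicy = "default-src 'self'; frame-ancestors 'self' https://*.partner.example";
const sampleChain = ["https://widgets.partner.example", "https://app.example"];
console.log(frameAncestorsAllows(samplePolicy, "https://app.example", sampleChain));
```

The decision is pure header-plus-ancestry logic, which is why it can run as soon as the response headers are in hand (before a redirect is followed) but still needs the embedding document's ancestor chain, the tension the two messages above are circling.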
